Linux: Nginx as a WAF and reverse proxy (for WordPress running with Apache on cubieboard)

In my cubieboard saga, I continued installing Nginx to both accelerate and securise some Apache hosted sites.
Nginx is not always well supported by common  opensource web applications such as WordPress. However, it performs really well as a (cache) reverse proxy. Using Naxsi module you can also build a free and efficient WAF, making Nginx a nice opensource enhencer for Apache hosting.

The following describes how to install Nginx with the aforementioned functionalities on a cubieboard (1) running debian with a root filesystem on an sdcard.

Install base packages

plain and simple : install nginx + naxsi and start nginx at system startup

 

Reverse proxy configuration

Set main proxy settings…

…by editing the file /etc/nginx/proxy_params (it is possible to add settings in main nginx.conf, but its less clean IMHO):

 

Make some adjustments in the main nginx configuration file (/etc/nginx/nginx.conf).

  1. Define the number of worker process depending on how many cpu (core) should be used by nginx

     
  2. enable gzip to offload apache server

     
  3. Uncomment naxsi core rules (explained later)

     
  4. Include the proxy parameters file

     

Configure virtual host(s)

The following example is based on a WordPress site with an https encrypted backoffice. As a reverse proxy, Nginx will be used to offload Apache for ssl encryption.

Generate a self signed certificate

nothing special here :

 

Create the virtual host file in /etc/nginx/sites-available/<domain_name>

Every re-usable generic part is put in external files. This allow to use same configurations for multiple sites. A variable is used to store Ip adress  for some external config files.

 

External generic configurations files

  • base_reverse.conf : base configuration.

     

  • reverse_wp.conf : reverse proxy setting for every files (including dynamic php). Files are cached for 1h on the already defined cache entry “static”.
    Note the usage of the “$backend” variable that is set in the virtualhost configuration.
    The “naxsi_wordpress.rules” files contains the WAF rules to use (see next chapter)

     

  • reverse_nocache_wp : reverse proxy setting with no cache (for backoffice)

     

  • static_files.conf : reverse proxy optimised for static files (better cache, client rendering optimization…)

     

  • hardening.conf : basic security and spam protection hardening

     

  • blacklist.conf : black list bad user agent (from HackRepair.com). Lines below are two examples (the real file is way larger)

     

  • naxsi_location.conf : this file contains the location “/RequestDenied” that is called by naxsi on every forbidden request.

Waf configuration (naxsi plugin)

Default rules are stored in the file “naxsi_core.rules” which is included in the main config file “nginx.conf”.

Any other rule file should be included in virtualhost as rules are usualy specialized by host (different modules, or CMS software).

To build a rule file, Naxsi’s wiki gives a good base to start with:

With only theses rules, there is few chance to get a site working. To customize the rules file, the line “LearningMode” must be uncomment. This will let pass all queries but log every one which should be blocked.

So you can start browsing public and backoffice pages. When its done, a tool named “nx_util.py” is provided to parse error log file and generate a white list rules.

 

Finalize and launch

Create cache directories :

If cache is stored on a tmpfs filesystem (like on example files previsouly presented), theses lines can be added in  “/etc/rc.local” to recreate them on boot.

Enable site and restart nginx:

 

Note : if you want apache to log the real IP address of the visitor and not the nginx one, use mod_rpaf (package libapache2-mod-rpaf)

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.